* [PATCH v2 bpf] bpf: devmap: fix stack-out-of-bounds write in get_upper_ifindexes()
@ 2026-02-20 19:29 Kohei Enju
2026-02-23 11:32 ` Toke Høiland-Jørgensen
0 siblings, 1 reply; 3+ messages in thread
From: Kohei Enju @ 2026-02-20 19:29 UTC (permalink / raw)
To: netdev, bpf
Cc: Alexei Starovoitov, Daniel Borkmann, David S. Miller,
Jakub Kicinski, Jesper Dangaard Brouer, John Fastabend,
Stanislav Fomichev, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, KP Singh, Hao Luo,
Jiri Olsa, Jussi Maki, Toke Høiland-Jørgensen,
kohei.enju, Kohei Enju, syzbot+10cc7f13760b31bd2e61
get_upper_ifindexes() iterates over all upper devices and writes their
indices into an array without checking bounds.
Also the callers assume that the max number of upper devices is
MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,
but that assumption is not correct and the number of upper devices could
be larger than MAX_NEST_DEV (e.g., many macvlans), causing a
stack-out-of-bounds write.
Add a max parameter to get_upper_ifindexes() to avoid the issue.
To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with
an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.
Then send a packet to the device to trigger the XDP redirect path.
Reported-by: syzbot+10cc7f13760b31bd2e61@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/698c4ce3.050a0220.340abe.000b.GAE@google.com/T/
Fixes: aeea1b86f936 ("bpf, devmap: Exclude XDP broadcast to master device")
Signed-off-by: Kohei Enju <kohei@enjuk.jp>
---
Changes:
v2:
- fix formatting, accounting that max-line-length is 100
v1: https://lore.kernel.org/bpf/20260216201428.65641-1-kohei@enjuk.jp/
---
kernel/bpf/devmap.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index 2625601de76e..c8c49d86a403 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -588,16 +588,18 @@ static inline bool is_ifindex_excluded(int *excluded, int num_excluded, int ifin
}
/* Get ifindex of each upper device. 'indexes' must be able to hold at
- * least MAX_NEST_DEV elements.
+ * least 'max' elements.
* Returns the number of ifindexes added.
*/
-static int get_upper_ifindexes(struct net_device *dev, int *indexes)
+static int get_upper_ifindexes(struct net_device *dev, int *indexes, int max)
{
struct net_device *upper;
struct list_head *iter;
int n = 0;
netdev_for_each_upper_dev_rcu(dev, upper, iter) {
+ if (n >= max)
+ break;
indexes[n++] = upper->ifindex;
}
return n;
@@ -615,7 +617,8 @@ int dev_map_enqueue_multi(struct xdp_frame *xdpf, struct net_device *dev_rx,
int err;
if (exclude_ingress) {
- num_excluded = get_upper_ifindexes(dev_rx, excluded_devices);
+ num_excluded = get_upper_ifindexes(dev_rx, excluded_devices,
+ ARRAY_SIZE(excluded_devices) - 1);
excluded_devices[num_excluded++] = dev_rx->ifindex;
}
@@ -733,7 +736,8 @@ int dev_map_redirect_multi(struct net_device *dev, struct sk_buff *skb,
int err;
if (exclude_ingress) {
- num_excluded = get_upper_ifindexes(dev, excluded_devices);
+ num_excluded = get_upper_ifindexes(dev, excluded_devices,
+ ARRAY_SIZE(excluded_devices) - 1);
excluded_devices[num_excluded++] = dev->ifindex;
}
--
2.51.0
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH v2 bpf] bpf: devmap: fix stack-out-of-bounds write in get_upper_ifindexes()
2026-02-20 19:29 [PATCH v2 bpf] bpf: devmap: fix stack-out-of-bounds write in get_upper_ifindexes() Kohei Enju
@ 2026-02-23 11:32 ` Toke Høiland-Jørgensen
2026-02-23 13:32 ` Kohei Enju
0 siblings, 1 reply; 3+ messages in thread
From: Toke Høiland-Jørgensen @ 2026-02-23 11:32 UTC (permalink / raw)
To: Kohei Enju, netdev, bpf
Cc: Alexei Starovoitov, Daniel Borkmann, David S. Miller,
Jakub Kicinski, Jesper Dangaard Brouer, John Fastabend,
Stanislav Fomichev, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, KP Singh, Hao Luo,
Jiri Olsa, Jussi Maki, kohei.enju, Kohei Enju,
syzbot+10cc7f13760b31bd2e61
Kohei Enju <kohei@enjuk.jp> writes:
> get_upper_ifindexes() iterates over all upper devices and writes their
> indices into an array without checking bounds.
>
> Also the callers assume that the max number of upper devices is
> MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,
> but that assumption is not correct and the number of upper devices could
> be larger than MAX_NEST_DEV (e.g., many macvlans), causing a
> stack-out-of-bounds write.
>
> Add a max parameter to get_upper_ifindexes() to avoid the issue.
>
> To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with
> an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.
> Then send a packet to the device to trigger the XDP redirect path.
>
> Reported-by: syzbot+10cc7f13760b31bd2e61@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/698c4ce3.050a0220.340abe.000b.GAE@google.com/T/
> Fixes: aeea1b86f936 ("bpf, devmap: Exclude XDP broadcast to master device")
> Signed-off-by: Kohei Enju <kohei@enjuk.jp>
> ---
> Changes:
> v2:
> - fix formatting, accounting that max-line-length is 100
> v1: https://lore.kernel.org/bpf/20260216201428.65641-1-kohei@enjuk.jp/
> ---
> kernel/bpf/devmap.c | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
> index 2625601de76e..c8c49d86a403 100644
> --- a/kernel/bpf/devmap.c
> +++ b/kernel/bpf/devmap.c
> @@ -588,16 +588,18 @@ static inline bool is_ifindex_excluded(int *excluded, int num_excluded, int ifin
> }
>
> /* Get ifindex of each upper device. 'indexes' must be able to hold at
> - * least MAX_NEST_DEV elements.
> + * least 'max' elements.
> * Returns the number of ifindexes added.
> */
> -static int get_upper_ifindexes(struct net_device *dev, int *indexes)
> +static int get_upper_ifindexes(struct net_device *dev, int *indexes, int max)
> {
> struct net_device *upper;
> struct list_head *iter;
> int n = 0;
>
> netdev_for_each_upper_dev_rcu(dev, upper, iter) {
> + if (n >= max)
> + break;
Hmm, how about returning an error here, and aborting the redirect
entirely? This silent truncation to an arbitrary number seems a bit
surprising, and very hard to debug. With an error, there will at least
be an error tracepoint to catch the failure.
-Toke
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH v2 bpf] bpf: devmap: fix stack-out-of-bounds write in get_upper_ifindexes()
2026-02-23 11:32 ` Toke Høiland-Jørgensen
@ 2026-02-23 13:32 ` Kohei Enju
0 siblings, 0 replies; 3+ messages in thread
From: Kohei Enju @ 2026-02-23 13:32 UTC (permalink / raw)
To: Toke Høiland-Jørgensen
Cc: netdev, bpf, Alexei Starovoitov, Daniel Borkmann, David S. Miller,
Jakub Kicinski, Jesper Dangaard Brouer, John Fastabend,
Stanislav Fomichev, Andrii Nakryiko, Martin KaFai Lau,
Eduard Zingerman, Song Liu, Yonghong Song, KP Singh, Hao Luo,
Jiri Olsa, Jussi Maki, kohei.enju, syzbot+10cc7f13760b31bd2e61
On 02/23 12:32, Toke Høiland-Jørgensen wrote:
> Kohei Enju <kohei@enjuk.jp> writes:
>
> > get_upper_ifindexes() iterates over all upper devices and writes their
> > indices into an array without checking bounds.
> >
> > Also the callers assume that the max number of upper devices is
> > MAX_NEST_DEV and allocate excluded_devices[1+MAX_NEST_DEV] on the stack,
> > but that assumption is not correct and the number of upper devices could
> > be larger than MAX_NEST_DEV (e.g., many macvlans), causing a
> > stack-out-of-bounds write.
> >
> > Add a max parameter to get_upper_ifindexes() to avoid the issue.
> >
> > To reproduce, create more than MAX_NEST_DEV(8) macvlans on a device with
> > an XDP program attached using BPF_F_BROADCAST | BPF_F_EXCLUDE_INGRESS.
> > Then send a packet to the device to trigger the XDP redirect path.
> >
> > Reported-by: syzbot+10cc7f13760b31bd2e61@syzkaller.appspotmail.com
> > Closes: https://lore.kernel.org/all/698c4ce3.050a0220.340abe.000b.GAE@google.com/T/
> > Fixes: aeea1b86f936 ("bpf, devmap: Exclude XDP broadcast to master device")
> > Signed-off-by: Kohei Enju <kohei@enjuk.jp>
> > ---
> > Changes:
> > v2:
> > - fix formatting, accounting that max-line-length is 100
> > v1: https://lore.kernel.org/bpf/20260216201428.65641-1-kohei@enjuk.jp/
> > ---
> > kernel/bpf/devmap.c | 12 ++++++++----
> > 1 file changed, 8 insertions(+), 4 deletions(-)
> >
> > diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
> > index 2625601de76e..c8c49d86a403 100644
> > --- a/kernel/bpf/devmap.c
> > +++ b/kernel/bpf/devmap.c
> > @@ -588,16 +588,18 @@ static inline bool is_ifindex_excluded(int *excluded, int num_excluded, int ifin
> > }
> >
> > /* Get ifindex of each upper device. 'indexes' must be able to hold at
> > - * least MAX_NEST_DEV elements.
> > + * least 'max' elements.
> > * Returns the number of ifindexes added.
> > */
> > -static int get_upper_ifindexes(struct net_device *dev, int *indexes)
> > +static int get_upper_ifindexes(struct net_device *dev, int *indexes, int max)
> > {
> > struct net_device *upper;
> > struct list_head *iter;
> > int n = 0;
> >
> > netdev_for_each_upper_dev_rcu(dev, upper, iter) {
> > + if (n >= max)
> > + break;
>
> Hmm, how about returning an error here, and aborting the redirect
> entirely? This silent truncation to an arbitrary number seems a bit
> surprising, and very hard to debug. With an error, there will at least
> be an error tracepoint to catch the failure.
>
> -Toke
Hi, Toke.
Thanks for the review.
Indeed I agree that silent truncation is surprising and hard to debug.
I'll send a v3 that returns -EOVERFLOW and aborts the redirect when
there are too many upper devices.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-02-23 13:33 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-20 19:29 [PATCH v2 bpf] bpf: devmap: fix stack-out-of-bounds write in get_upper_ifindexes() Kohei Enju
2026-02-23 11:32 ` Toke Høiland-Jørgensen
2026-02-23 13:32 ` Kohei Enju
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox